Group in the context of elliptic curve cryptoSummarize the mathematical problem at the heart of breaking a Curve25519 public keyStandardized parameters for elliptic curve cryptographyFinite fields in elliptic curveFast hashing into elliptic curveElliptic Curve ElGamal and DSA - smooth group order and element of large prime orderElliptic curve point multiplication — who is wrong?Number of generators of an elliptic curveBase Point on elliptic curveIs there a way to project one elliptic-curve element to a subgroup with certain size?Elliptic curve with prime subgroup equal to field size
How to calculate the proper layer height multiples?
How to extract a value from each column
How to find a reviewer/editor for my paper?
Are there any space probes or landers which regained communication after being lost?
A property between "separable" and "second countable"
How can I finish my PhD?
Contractor cut joist hangers to make them fit
What is this sticking out of my wall?
Bit floating sequence
How do I decide when to use MAPE, SMAPE and MASE for time series analysis on stock forecasting
After a few interviews, What should I do after told to wait?
pgfgantt: month displayed as single letter
Change-due function
Is it unavoidable taking shortcuts in software development sometimes?
Why can linguists decide which use of language is correct and which is not?
Why would an airport be depicted with symbology for runways longer than 8,069 feet even though it is reported on the sectional as 7,200 feet?
Is there a star over my head?
How to say "In Japan, I want to ..."?
How do you say "to hell with everything" in French?
The pirate treasure of Leatherback Atoll
RANK used in 'where' returns invalid column, but exists in results set
Short story: Interstellar inspector senses "off" nature of planet hiding aggressive culture
Isn't that (two voices leaping to C like this) a breaking of the rules of four-part harmony?
Why do the British opposition parties not want a new election?
Group in the context of elliptic curve crypto
Summarize the mathematical problem at the heart of breaking a Curve25519 public keyStandardized parameters for elliptic curve cryptographyFinite fields in elliptic curveFast hashing into elliptic curveElliptic Curve ElGamal and DSA - smooth group order and element of large prime orderElliptic curve point multiplication — who is wrong?Number of generators of an elliptic curveBase Point on elliptic curveIs there a way to project one elliptic-curve element to a subgroup with certain size?Elliptic curve with prime subgroup equal to field size
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
$begingroup$
I understand that the discrete log problem is defined as
$G^y bmod p = x$
Speaking generally, $G$ here is a generator for the group zp*, where $G$ is able to generate each element in the group for a given prime modulus.
My question is, in the context of elliptic curve cryptography, is the group the entire set of points that lies on the curve being used?
Assuming this is correct, does the prime used for the modulus have to be larger or smaller than this group of points, or even reside in it?
elliptic-curves discrete-logarithm
edited 7 hours ago
AleksanderRas
4,1222 gold badges11 silver badges41 bronze badges
asked 8 hours ago
WoodstockWoodstock
25610 bronze badges
$endgroup$
add a comment |
$begingroup$
I understand that the discrete log problem is defined as
$G^y bmod p = x$
Speaking generally, $G$ here is a generator for the group zp*, where $G$ is able to generate each element in the group for a given prime modulus.
My question is, in the context of elliptic curve cryptography, is the group the entire set of points that lies on the curve being used?
Assuming this is correct, does the prime used for the modulus have to be larger or smaller than this group of points, or even reside in it?
elliptic-curves discrete-logarithm
edited 7 hours ago
AleksanderRas
4,1222 gold badges11 silver badges41 bronze badges
asked 8 hours ago
WoodstockWoodstock
25610 bronze badges
$endgroup$
$begingroup$
Tip: You can format your posts using LaTeX, it makes equations and whatnot look significantly nicer and more readable
$endgroup$
– Ella Rose♦
8 hours ago
1
$begingroup$
Possible duplicate of Summarize the mathematical problem at the heart of breaking a Curve25519 public key
$endgroup$
– Squeamish Ossifrage
3 hours ago
add a comment |
$begingroup$
I understand that the discrete log problem is defined as
$G^y bmod p = x$
Speaking generally, $G$ here is a generator for the group zp*, where $G$ is able to generate each element in the group for a given prime modulus.
My question is, in the context of elliptic curve cryptography, is the group the entire set of points that lies on the curve being used?
Assuming this is correct, does the prime used for the modulus have to be larger or smaller than this group of points, or even reside in it?
elliptic-curves discrete-logarithm
edited 7 hours ago
AleksanderRas
4,1222 gold badges11 silver badges41 bronze badges
asked 8 hours ago
WoodstockWoodstock
25610 bronze badges
$endgroup$
I understand that the discrete log problem is defined as
$G^y bmod p = x$
Speaking generally, $G$ here is a generator for the group zp*, where $G$ is able to generate each element in the group for a given prime modulus.
My question is, in the context of elliptic curve cryptography, is the group the entire set of points that lies on the curve being used?
Assuming this is correct, does the prime used for the modulus have to be larger or smaller than this group of points, or even reside in it?
elliptic-curves discrete-logarithm
elliptic-curves discrete-logarithm
edited 7 hours ago
AleksanderRas
4,1222 gold badges11 silver badges41 bronze badges
asked 8 hours ago
WoodstockWoodstock
25610 bronze badges
edited 7 hours ago
AleksanderRas
4,1222 gold badges11 silver badges41 bronze badges
asked 8 hours ago
WoodstockWoodstock
25610 bronze badges
edited 7 hours ago
AleksanderRas
4,1222 gold badges11 silver badges41 bronze badges
edited 7 hours ago
AleksanderRas
4,1222 gold badges11 silver badges41 bronze badges
edited 7 hours ago
AleksanderRas
4,1222 gold badges11 silver badges41 bronze badges
4,1222 gold badges11 silver badges41 bronze badges
asked 8 hours ago
WoodstockWoodstock
25610 bronze badges
asked 8 hours ago
WoodstockWoodstock
25610 bronze badges
asked 8 hours ago
WoodstockWoodstock
25610 bronze badges
25610 bronze badges
$begingroup$
Tip: You can format your posts using LaTeX, it makes equations and whatnot look significantly nicer and more readable
$endgroup$
– Ella Rose♦
8 hours ago
1
$begingroup$
Possible duplicate of Summarize the mathematical problem at the heart of breaking a Curve25519 public key
$endgroup$
– Squeamish Ossifrage
3 hours ago
add a comment |
$begingroup$
Tip: You can format your posts using LaTeX, it makes equations and whatnot look significantly nicer and more readable
$endgroup$
– Ella Rose♦
8 hours ago
1
$begingroup$
Possible duplicate of Summarize the mathematical problem at the heart of breaking a Curve25519 public key
$endgroup$
– Squeamish Ossifrage
3 hours ago
$begingroup$
Tip: You can format your posts using LaTeX, it makes equations and whatnot look significantly nicer and more readable
$endgroup$
– Ella Rose♦
8 hours ago
$begingroup$
Tip: You can format your posts using LaTeX, it makes equations and whatnot look significantly nicer and more readable
$endgroup$
– Ella Rose♦
8 hours ago
1
1
$begingroup$
Possible duplicate of Summarize the mathematical problem at the heart of breaking a Curve25519 public key
$endgroup$
– Squeamish Ossifrage
3 hours ago
$begingroup$
Possible duplicate of Summarize the mathematical problem at the heart of breaking a Curve25519 public key
$endgroup$
– Squeamish Ossifrage
3 hours ago
add a comment |
1 Answer
1
active
oldest
votes
$begingroup$
Short answer: the definition you're using (and, in particular, the notation in it) is specific to multiplicative groups modulo $p$. It makes no sense for elliptic curves, or for most other kinds of groups over which the discrete logarithm problem can be defined. In particular, for elliptic curves, there is no prime modulus $p$.
(Well, OK, for the elliptic curves used in cryptography, there is a prime modulus involved in the definition of the finite field over which the elliptic curve itself is defined. The size of this prime depends on the type of finite field used — it can be anything from $2$ up to the size of the field itself — and is only very indirectly relevant to the hardness of the discrete logarithm problem.)
Longer answer: In mathematics, a group is simply any set $G$ equipped with some binary operator $star$ that satisfies the following properties:
Closure: For every $a, b in G$, the value $a star b$ is defined and belongs to $G$.
Associativity: The equation $(a star b) star c = a star (b star c)$ holds for every $a, b, c in G$.
Identity: There exists an identity element $epsilon in G$ such that $epsilon star a = a star epsilon = a$ holds for every $a in G$.
Invertibility: For every $a in G$ there exists another element $b in G$ (called the group inverse of $a$) such that $a star b = b star a = epsilon$.
If these properties seem fairly broad and abstract, that's because they are. Indeed, math is full of things that satisfy the definition of a group. For a few examples:
The integers $Bbb Z = …, -2, -1, 0, 1, 2, …$ equipped with the operation $+$ (i.e. addition) form a group. The identity element is $0$ and the inverse of $a$ is $-a$.
The positive rational numbers $Bbb Q^+$ equipped with the operation $·$ (i.e. multiplication) also form a group. The identity element is $1$, and the inverse of $a$ is $1/a$.
For any set $S$, the set of invertible functions from $S$ to $S$ form a group, with function composition ($circ$) as the group operator. This group is known as the symmetric group of $S$.
For any $n > 0$, the numbers $0, …, n-1$ equipped with the operation $+_n$ defined as $$a +_n b = (a + b) bmod n = begincasesa + b & textif a + b < n, \ a + b - n & textotherwise endcases$$ also form a group. The identity is still $0$, but the inverse of $a ne 0$ is now $n - a$. This group is isomorphic to the (additive) group of integers modulo $n$, and indeed is one way to define that group (although a more commonly used definition uses congruence classes instead).
For any prime $p$, the numbers $1, …, p-1$ equipped with the operation $·_p$ defined as $$a ·_p b = ab bmod p = ab - kp,$$ where $k$ is the largest integer such that $kp le ab$, also form a group. The identity is $1$, and the inverse of any element $a$ can be calculated e.g. using the extended Euclidean algorithm. This group is isomorphic to (and again, under some definitions, the same as) the multiplicative group of integers modulo $p$.
There are, however, plenty of other ways to form groups as well. For example, for any elliptic curve, it's possible to define a binary operator that makes the set of points on the curve (including the "point at infinity") into a group. The definition is somewhat complicated, so I won't attempt to summarize it here, but it can be shown to satisfy all the properties required of a group.
Now, for any group $G$ with the group operation $star$, we can define an "exponentiation" operator $uparrow$ that maps a group element $g in G$ and a non-negative integer $k in Bbb N$ into the group element $$g uparrow k = underbraceg star g star … star g_k text times.$$ (In particular, $g uparrow 0$ is defined to be the group identity element $epsilon$.)
For any group element $g in G$, the set $$g^Bbb N = epsilon, g, g star g, g star g star g, … = k in Bbb N: g uparrow k$$ of powers of $g$ forms a subgroup of $G$. This is called the subgroup generated by $g$, and also written $langle g rangle$. (For some groups, it's even possible to find a $g in G$ such that $langle g rangle = G$, i.e. $g$ generates the entire group $G$.)
For a given generator $g in G$ and an arbitrary element $a$ of the subgroup $langle g rangle subset G$ generated by $g$, it's then possible to ask the question: what is the smallest (or even any) number $k in Bbb N$ such that $g uparrow k = a$? Such a number $k$ is known as the discrete logarithm of $a$ with respect to $g$.
Now, for some groups, computing the discrete logarithm is very easy. For example, if $G = Bbb Z$ is the additive group of integers, then $g uparrow k = kg$, and the discrete logarithm of $a$ with respect to $g ne 0$ is simply $a mathbin/ g$. The additive group of integers modulo $n$ is not much harder: calculating the discrete logarithm of $a$ there just requires solving the modular congruence $a equiv kg pmod n$, which can be done using the aforementioned extended Euclidean algorithm.
However, for other groups, no easy or efficient way of calculating discrete logarithms is known. The multiplicative groups of integers modulo large primes $p$ are one example of a class of such groups; elliptic curves (over a finite field) are another.
For cryptography, the main advantage of choosing elliptic curves over multiplicative groups of integers is that the most efficient known algorithms for finding discrete logarithms over elliptic curves are even less efficient than those for multiplicative groups of integers. In other words, this means that we can use smaller groups (and thus shorter keys etc.) for the same conjectured level of security.
Of course, technically, we don't know that the discrete logarithm problem is actually hard over either kind of groups, and that there isn't some magic algorithm to solve it efficiently that we just haven't found yet. But a lot of smart people have studied this problem for both kinds of groups, trying to find such an algorithm, and so far (at least as far as publicly available academic literature goes) they haven't really found one. And so far, of the two kinds of groups, elliptic curves seem to be the harder nut to crack.
answered 4 hours ago
Ilmari KaronenIlmari Karonen
38.4k3 gold badges82 silver badges151 bronze badges
$endgroup$
$begingroup$
Wow. I wish I wasn't so stupid.
$endgroup$
– Woodstock
4 hours ago
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f73151%2fgroup-in-the-context-of-elliptic-curve-crypto%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
Short answer: the definition you're using (and, in particular, the notation in it) is specific to multiplicative groups modulo $p$. It makes no sense for elliptic curves, or for most other kinds of groups over which the discrete logarithm problem can be defined. In particular, for elliptic curves, there is no prime modulus $p$.
(Well, OK, for the elliptic curves used in cryptography, there is a prime modulus involved in the definition of the finite field over which the elliptic curve itself is defined. The size of this prime depends on the type of finite field used — it can be anything from $2$ up to the size of the field itself — and is only very indirectly relevant to the hardness of the discrete logarithm problem.)
Longer answer: In mathematics, a group is simply any set $G$ equipped with some binary operator $star$ that satisfies the following properties:
Closure: For every $a, b in G$, the value $a star b$ is defined and belongs to $G$.
Associativity: The equation $(a star b) star c = a star (b star c)$ holds for every $a, b, c in G$.
Identity: There exists an identity element $epsilon in G$ such that $epsilon star a = a star epsilon = a$ holds for every $a in G$.
Invertibility: For every $a in G$ there exists another element $b in G$ (called the group inverse of $a$) such that $a star b = b star a = epsilon$.
If these properties seem fairly broad and abstract, that's because they are. Indeed, math is full of things that satisfy the definition of a group. For a few examples:
The integers $Bbb Z = …, -2, -1, 0, 1, 2, …$ equipped with the operation $+$ (i.e. addition) form a group. The identity element is $0$ and the inverse of $a$ is $-a$.
The positive rational numbers $Bbb Q^+$ equipped with the operation $·$ (i.e. multiplication) also form a group. The identity element is $1$, and the inverse of $a$ is $1/a$.
For any set $S$, the set of invertible functions from $S$ to $S$ form a group, with function composition ($circ$) as the group operator. This group is known as the symmetric group of $S$.
For any $n > 0$, the numbers $0, …, n-1$ equipped with the operation $+_n$ defined as $$a +_n b = (a + b) bmod n = begincasesa + b & textif a + b < n, \ a + b - n & textotherwise endcases$$ also form a group. The identity is still $0$, but the inverse of $a ne 0$ is now $n - a$. This group is isomorphic to the (additive) group of integers modulo $n$, and indeed is one way to define that group (although a more commonly used definition uses congruence classes instead).
For any prime $p$, the numbers $1, …, p-1$ equipped with the operation $·_p$ defined as $$a ·_p b = ab bmod p = ab - kp,$$ where $k$ is the largest integer such that $kp le ab$, also form a group. The identity is $1$, and the inverse of any element $a$ can be calculated e.g. using the extended Euclidean algorithm. This group is isomorphic to (and again, under some definitions, the same as) the multiplicative group of integers modulo $p$.
There are, however, plenty of other ways to form groups as well. For example, for any elliptic curve, it's possible to define a binary operator that makes the set of points on the curve (including the "point at infinity") into a group. The definition is somewhat complicated, so I won't attempt to summarize it here, but it can be shown to satisfy all the properties required of a group.
Now, for any group $G$ with the group operation $star$, we can define an "exponentiation" operator $uparrow$ that maps a group element $g in G$ and a non-negative integer $k in Bbb N$ into the group element $$g uparrow k = underbraceg star g star … star g_k text times.$$ (In particular, $g uparrow 0$ is defined to be the group identity element $epsilon$.)
For any group element $g in G$, the set $$g^Bbb N = epsilon, g, g star g, g star g star g, … = k in Bbb N: g uparrow k$$ of powers of $g$ forms a subgroup of $G$. This is called the subgroup generated by $g$, and also written $langle g rangle$. (For some groups, it's even possible to find a $g in G$ such that $langle g rangle = G$, i.e. $g$ generates the entire group $G$.)
For a given generator $g in G$ and an arbitrary element $a$ of the subgroup $langle g rangle subset G$ generated by $g$, it's then possible to ask the question: what is the smallest (or even any) number $k in Bbb N$ such that $g uparrow k = a$? Such a number $k$ is known as the discrete logarithm of $a$ with respect to $g$.
Now, for some groups, computing the discrete logarithm is very easy. For example, if $G = Bbb Z$ is the additive group of integers, then $g uparrow k = kg$, and the discrete logarithm of $a$ with respect to $g ne 0$ is simply $a mathbin/ g$. The additive group of integers modulo $n$ is not much harder: calculating the discrete logarithm of $a$ there just requires solving the modular congruence $a equiv kg pmod n$, which can be done using the aforementioned extended Euclidean algorithm.
However, for other groups, no easy or efficient way of calculating discrete logarithms is known. The multiplicative groups of integers modulo large primes $p$ are one example of a class of such groups; elliptic curves (over a finite field) are another.
For cryptography, the main advantage of choosing elliptic curves over multiplicative groups of integers is that the most efficient known algorithms for finding discrete logarithms over elliptic curves are even less efficient than those for multiplicative groups of integers. In other words, this means that we can use smaller groups (and thus shorter keys etc.) for the same conjectured level of security.
Of course, technically, we don't know that the discrete logarithm problem is actually hard over either kind of groups, and that there isn't some magic algorithm to solve it efficiently that we just haven't found yet. But a lot of smart people have studied this problem for both kinds of groups, trying to find such an algorithm, and so far (at least as far as publicly available academic literature goes) they haven't really found one. And so far, of the two kinds of groups, elliptic curves seem to be the harder nut to crack.
answered 4 hours ago
Ilmari KaronenIlmari Karonen
38.4k3 gold badges82 silver badges151 bronze badges
$endgroup$
$begingroup$
Wow. I wish I wasn't so stupid.
$endgroup$
– Woodstock
4 hours ago
add a comment |
$begingroup$
Short answer: the definition you're using (and, in particular, the notation in it) is specific to multiplicative groups modulo $p$. It makes no sense for elliptic curves, or for most other kinds of groups over which the discrete logarithm problem can be defined. In particular, for elliptic curves, there is no prime modulus $p$.
(Well, OK, for the elliptic curves used in cryptography, there is a prime modulus involved in the definition of the finite field over which the elliptic curve itself is defined. The size of this prime depends on the type of finite field used — it can be anything from $2$ up to the size of the field itself — and is only very indirectly relevant to the hardness of the discrete logarithm problem.)
Longer answer: In mathematics, a group is simply any set $G$ equipped with some binary operator $star$ that satisfies the following properties:
Closure: For every $a, b in G$, the value $a star b$ is defined and belongs to $G$.
Associativity: The equation $(a star b) star c = a star (b star c)$ holds for every $a, b, c in G$.
Identity: There exists an identity element $epsilon in G$ such that $epsilon star a = a star epsilon = a$ holds for every $a in G$.
Invertibility: For every $a in G$ there exists another element $b in G$ (called the group inverse of $a$) such that $a star b = b star a = epsilon$.
If these properties seem fairly broad and abstract, that's because they are. Indeed, math is full of things that satisfy the definition of a group. For a few examples:
The integers $Bbb Z = …, -2, -1, 0, 1, 2, …$ equipped with the operation $+$ (i.e. addition) form a group. The identity element is $0$ and the inverse of $a$ is $-a$.
The positive rational numbers $Bbb Q^+$ equipped with the operation $·$ (i.e. multiplication) also form a group. The identity element is $1$, and the inverse of $a$ is $1/a$.
For any set $S$, the set of invertible functions from $S$ to $S$ form a group, with function composition ($circ$) as the group operator. This group is known as the symmetric group of $S$.
For any $n > 0$, the numbers $0, …, n-1$ equipped with the operation $+_n$ defined as $$a +_n b = (a + b) bmod n = begincasesa + b & textif a + b < n, \ a + b - n & textotherwise endcases$$ also form a group. The identity is still $0$, but the inverse of $a ne 0$ is now $n - a$. This group is isomorphic to the (additive) group of integers modulo $n$, and indeed is one way to define that group (although a more commonly used definition uses congruence classes instead).
For any prime $p$, the numbers $1, …, p-1$ equipped with the operation $·_p$ defined as $$a ·_p b = ab bmod p = ab - kp,$$ where $k$ is the largest integer such that $kp le ab$, also form a group. The identity is $1$, and the inverse of any element $a$ can be calculated e.g. using the extended Euclidean algorithm. This group is isomorphic to (and again, under some definitions, the same as) the multiplicative group of integers modulo $p$.
There are, however, plenty of other ways to form groups as well. For example, for any elliptic curve, it's possible to define a binary operator that makes the set of points on the curve (including the "point at infinity") into a group. The definition is somewhat complicated, so I won't attempt to summarize it here, but it can be shown to satisfy all the properties required of a group.
Now, for any group $G$ with the group operation $star$, we can define an "exponentiation" operator $uparrow$ that maps a group element $g in G$ and a non-negative integer $k in Bbb N$ into the group element $$g uparrow k = underbraceg star g star … star g_k text times.$$ (In particular, $g uparrow 0$ is defined to be the group identity element $epsilon$.)
For any group element $g in G$, the set $$g^Bbb N = epsilon, g, g star g, g star g star g, … = k in Bbb N: g uparrow k$$ of powers of $g$ forms a subgroup of $G$. This is called the subgroup generated by $g$, and also written $langle g rangle$. (For some groups, it's even possible to find a $g in G$ such that $langle g rangle = G$, i.e. $g$ generates the entire group $G$.)
For a given generator $g in G$ and an arbitrary element $a$ of the subgroup $langle g rangle subset G$ generated by $g$, it's then possible to ask the question: what is the smallest (or even any) number $k in Bbb N$ such that $g uparrow k = a$? Such a number $k$ is known as the discrete logarithm of $a$ with respect to $g$.
Now, for some groups, computing the discrete logarithm is very easy. For example, if $G = Bbb Z$ is the additive group of integers, then $g uparrow k = kg$, and the discrete logarithm of $a$ with respect to $g ne 0$ is simply $a mathbin/ g$. The additive group of integers modulo $n$ is not much harder: calculating the discrete logarithm of $a$ there just requires solving the modular congruence $a equiv kg pmod n$, which can be done using the aforementioned extended Euclidean algorithm.
However, for other groups, no easy or efficient way of calculating discrete logarithms is known. The multiplicative groups of integers modulo large primes $p$ are one example of a class of such groups; elliptic curves (over a finite field) are another.
For cryptography, the main advantage of choosing elliptic curves over multiplicative groups of integers is that the most efficient known algorithms for finding discrete logarithms over elliptic curves are even less efficient than those for multiplicative groups of integers. In other words, this means that we can use smaller groups (and thus shorter keys etc.) for the same conjectured level of security.
Of course, technically, we don't know that the discrete logarithm problem is actually hard over either kind of groups, and that there isn't some magic algorithm to solve it efficiently that we just haven't found yet. But a lot of smart people have studied this problem for both kinds of groups, trying to find such an algorithm, and so far (at least as far as publicly available academic literature goes) they haven't really found one. And so far, of the two kinds of groups, elliptic curves seem to be the harder nut to crack.
answered 4 hours ago
Ilmari KaronenIlmari Karonen
38.4k3 gold badges82 silver badges151 bronze badges
$endgroup$
$begingroup$
Wow. I wish I wasn't so stupid.
$endgroup$
– Woodstock
4 hours ago
add a comment |
$begingroup$
Short answer: the definition you're using (and, in particular, the notation in it) is specific to multiplicative groups modulo $p$. It makes no sense for elliptic curves, or for most other kinds of groups over which the discrete logarithm problem can be defined. In particular, for elliptic curves, there is no prime modulus $p$.
(Well, OK, for the elliptic curves used in cryptography, there is a prime modulus involved in the definition of the finite field over which the elliptic curve itself is defined. The size of this prime depends on the type of finite field used — it can be anything from $2$ up to the size of the field itself — and is only very indirectly relevant to the hardness of the discrete logarithm problem.)
Longer answer: In mathematics, a group is simply any set $G$ equipped with some binary operator $star$ that satisfies the following properties:
Closure: For every $a, b in G$, the value $a star b$ is defined and belongs to $G$.
Associativity: The equation $(a star b) star c = a star (b star c)$ holds for every $a, b, c in G$.
Identity: There exists an identity element $epsilon in G$ such that $epsilon star a = a star epsilon = a$ holds for every $a in G$.
Invertibility: For every $a in G$ there exists another element $b in G$ (called the group inverse of $a$) such that $a star b = b star a = epsilon$.
If these properties seem fairly broad and abstract, that's because they are. Indeed, math is full of things that satisfy the definition of a group. For a few examples:
The integers $Bbb Z = …, -2, -1, 0, 1, 2, …$ equipped with the operation $+$ (i.e. addition) form a group. The identity element is $0$ and the inverse of $a$ is $-a$.
The positive rational numbers $Bbb Q^+$ equipped with the operation $·$ (i.e. multiplication) also form a group. The identity element is $1$, and the inverse of $a$ is $1/a$.
For any set $S$, the set of invertible functions from $S$ to $S$ form a group, with function composition ($circ$) as the group operator. This group is known as the symmetric group of $S$.
For any $n > 0$, the numbers $0, …, n-1$ equipped with the operation $+_n$ defined as $$a +_n b = (a + b) bmod n = begincasesa + b & textif a + b < n, \ a + b - n & textotherwise endcases$$ also form a group. The identity is still $0$, but the inverse of $a ne 0$ is now $n - a$. This group is isomorphic to the (additive) group of integers modulo $n$, and indeed is one way to define that group (although a more commonly used definition uses congruence classes instead).
For any prime $p$, the numbers $1, …, p-1$ equipped with the operation $·_p$ defined as $$a ·_p b = ab bmod p = ab - kp,$$ where $k$ is the largest integer such that $kp le ab$, also form a group. The identity is $1$, and the inverse of any element $a$ can be calculated e.g. using the extended Euclidean algorithm. This group is isomorphic to (and again, under some definitions, the same as) the multiplicative group of integers modulo $p$.
There are, however, plenty of other ways to form groups as well. For example, for any elliptic curve, it's possible to define a binary operator that makes the set of points on the curve (including the "point at infinity") into a group. The definition is somewhat complicated, so I won't attempt to summarize it here, but it can be shown to satisfy all the properties required of a group.
Now, for any group $G$ with the group operation $star$, we can define an "exponentiation" operator $uparrow$ that maps a group element $g in G$ and a non-negative integer $k in Bbb N$ into the group element $$g uparrow k = underbraceg star g star … star g_k text times.$$ (In particular, $g uparrow 0$ is defined to be the group identity element $epsilon$.)
For any group element $g in G$, the set $$g^Bbb N = epsilon, g, g star g, g star g star g, … = k in Bbb N: g uparrow k$$ of powers of $g$ forms a subgroup of $G$. This is called the subgroup generated by $g$, and also written $langle g rangle$. (For some groups, it's even possible to find a $g in G$ such that $langle g rangle = G$, i.e. $g$ generates the entire group $G$.)
For a given generator $g in G$ and an arbitrary element $a$ of the subgroup $langle g rangle subset G$ generated by $g$, it's then possible to ask the question: what is the smallest (or even any) number $k in Bbb N$ such that $g uparrow k = a$? Such a number $k$ is known as the discrete logarithm of $a$ with respect to $g$.
Now, for some groups, computing the discrete logarithm is very easy. For example, if $G = Bbb Z$ is the additive group of integers, then $g uparrow k = kg$, and the discrete logarithm of $a$ with respect to $g ne 0$ is simply $a mathbin/ g$. The additive group of integers modulo $n$ is not much harder: calculating the discrete logarithm of $a$ there just requires solving the modular congruence $a equiv kg pmod n$, which can be done using the aforementioned extended Euclidean algorithm.
However, for other groups, no easy or efficient way of calculating discrete logarithms is known. The multiplicative groups of integers modulo large primes $p$ are one example of a class of such groups; elliptic curves (over a finite field) are another.
For cryptography, the main advantage of choosing elliptic curves over multiplicative groups of integers is that the most efficient known algorithms for finding discrete logarithms over elliptic curves are even less efficient than those for multiplicative groups of integers. In other words, this means that we can use smaller groups (and thus shorter keys etc.) for the same conjectured level of security.
Of course, technically, we don't know that the discrete logarithm problem is actually hard over either kind of groups, and that there isn't some magic algorithm to solve it efficiently that we just haven't found yet. But a lot of smart people have studied this problem for both kinds of groups, trying to find such an algorithm, and so far (at least as far as publicly available academic literature goes) they haven't really found one. And so far, of the two kinds of groups, elliptic curves seem to be the harder nut to crack.
answered 4 hours ago
Ilmari KaronenIlmari Karonen
38.4k3 gold badges82 silver badges151 bronze badges
$endgroup$
Short answer: the definition you're using (and, in particular, the notation in it) is specific to multiplicative groups modulo $p$. It makes no sense for elliptic curves, or for most other kinds of groups over which the discrete logarithm problem can be defined. In particular, for elliptic curves, there is no prime modulus $p$.
(Well, OK, for the elliptic curves used in cryptography, there is a prime modulus involved in the definition of the finite field over which the elliptic curve itself is defined. The size of this prime depends on the type of finite field used — it can be anything from $2$ up to the size of the field itself — and is only very indirectly relevant to the hardness of the discrete logarithm problem.)
Longer answer: In mathematics, a group is simply any set $G$ equipped with some binary operator $star$ that satisfies the following properties:
Closure: For every $a, b in G$, the value $a star b$ is defined and belongs to $G$.
Associativity: The equation $(a star b) star c = a star (b star c)$ holds for every $a, b, c in G$.
Identity: There exists an identity element $epsilon in G$ such that $epsilon star a = a star epsilon = a$ holds for every $a in G$.
Invertibility: For every $a in G$ there exists another element $b in G$ (called the group inverse of $a$) such that $a star b = b star a = epsilon$.
If these properties seem fairly broad and abstract, that's because they are. Indeed, math is full of things that satisfy the definition of a group. For a few examples:
The integers $Bbb Z = …, -2, -1, 0, 1, 2, …$ equipped with the operation $+$ (i.e. addition) form a group. The identity element is $0$ and the inverse of $a$ is $-a$.
The positive rational numbers $Bbb Q^+$ equipped with the operation $·$ (i.e. multiplication) also form a group. The identity element is $1$, and the inverse of $a$ is $1/a$.
For any set $S$, the set of invertible functions from $S$ to $S$ form a group, with function composition ($circ$) as the group operator. This group is known as the symmetric group of $S$.
For any $n > 0$, the numbers $0, …, n-1$ equipped with the operation $+_n$ defined as $$a +_n b = (a + b) bmod n = begincasesa + b & textif a + b < n, \ a + b - n & textotherwise endcases$$ also form a group. The identity is still $0$, but the inverse of $a ne 0$ is now $n - a$. This group is isomorphic to the (additive) group of integers modulo $n$, and indeed is one way to define that group (although a more commonly used definition uses congruence classes instead).
For any prime $p$, the numbers $1, …, p-1$ equipped with the operation $·_p$ defined as $$a ·_p b = ab bmod p = ab - kp,$$ where $k$ is the largest integer such that $kp le ab$, also form a group. The identity is $1$, and the inverse of any element $a$ can be calculated e.g. using the extended Euclidean algorithm. This group is isomorphic to (and again, under some definitions, the same as) the multiplicative group of integers modulo $p$.
There are, however, plenty of other ways to form groups as well. For example, for any elliptic curve, it's possible to define a binary operator that makes the set of points on the curve (including the "point at infinity") into a group. The definition is somewhat complicated, so I won't attempt to summarize it here, but it can be shown to satisfy all the properties required of a group.
Now, for any group $G$ with the group operation $star$, we can define an "exponentiation" operator $uparrow$ that maps a group element $g in G$ and a non-negative integer $k in Bbb N$ into the group element $$g uparrow k = underbraceg star g star … star g_k text times.$$ (In particular, $g uparrow 0$ is defined to be the group identity element $epsilon$.)
For any group element $g in G$, the set $$g^Bbb N = epsilon, g, g star g, g star g star g, … = k in Bbb N: g uparrow k$$ of powers of $g$ forms a subgroup of $G$. This is called the subgroup generated by $g$, and also written $langle g rangle$. (For some groups, it's even possible to find a $g in G$ such that $langle g rangle = G$, i.e. $g$ generates the entire group $G$.)
For a given generator $g in G$ and an arbitrary element $a$ of the subgroup $langle g rangle subset G$ generated by $g$, it's then possible to ask the question: what is the smallest (or even any) number $k in Bbb N$ such that $g uparrow k = a$? Such a number $k$ is known as the discrete logarithm of $a$ with respect to $g$.
Now, for some groups, computing the discrete logarithm is very easy. For example, if $G = Bbb Z$ is the additive group of integers, then $g uparrow k = kg$, and the discrete logarithm of $a$ with respect to $g ne 0$ is simply $a mathbin/ g$. The additive group of integers modulo $n$ is not much harder: calculating the discrete logarithm of $a$ there just requires solving the modular congruence $a equiv kg pmod n$, which can be done using the aforementioned extended Euclidean algorithm.
However, for other groups, no easy or efficient way of calculating discrete logarithms is known. The multiplicative groups of integers modulo large primes $p$ are one example of a class of such groups; elliptic curves (over a finite field) are another.
For cryptography, the main advantage of choosing elliptic curves over multiplicative groups of integers is that the most efficient known algorithms for finding discrete logarithms over elliptic curves are even less efficient than those for multiplicative groups of integers. In other words, this means that we can use smaller groups (and thus shorter keys etc.) for the same conjectured level of security.
Of course, technically, we don't know that the discrete logarithm problem is actually hard over either kind of groups, and that there isn't some magic algorithm to solve it efficiently that we just haven't found yet. But a lot of smart people have studied this problem for both kinds of groups, trying to find such an algorithm, and so far (at least as far as publicly available academic literature goes) they haven't really found one. And so far, of the two kinds of groups, elliptic curves seem to be the harder nut to crack.
answered 4 hours ago
Ilmari KaronenIlmari Karonen
38.4k3 gold badges82 silver badges151 bronze badges
answered 4 hours ago
Ilmari KaronenIlmari Karonen
38.4k3 gold badges82 silver badges151 bronze badges
answered 4 hours ago
Ilmari KaronenIlmari Karonen
38.4k3 gold badges82 silver badges151 bronze badges
answered 4 hours ago
Ilmari KaronenIlmari Karonen
38.4k3 gold badges82 silver badges151 bronze badges
38.4k3 gold badges82 silver badges151 bronze badges
$begingroup$
Wow. I wish I wasn't so stupid.
$endgroup$
– Woodstock
4 hours ago
add a comment |
$begingroup$
Wow. I wish I wasn't so stupid.
$endgroup$
– Woodstock
4 hours ago
$begingroup$
Wow. I wish I wasn't so stupid.
$endgroup$
– Woodstock
4 hours ago
$begingroup$
Wow. I wish I wasn't so stupid.
$endgroup$
– Woodstock
4 hours ago
add a comment |
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f73151%2fgroup-in-the-context-of-elliptic-curve-crypto%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
$begingroup$
Tip: You can format your posts using LaTeX, it makes equations and whatnot look significantly nicer and more readable
$endgroup$
– Ella Rose♦
8 hours ago
1
$begingroup$
Possible duplicate of Summarize the mathematical problem at the heart of breaking a Curve25519 public key
$endgroup$
– Squeamish Ossifrage
3 hours ago